Re: Simple Password Strength Checker Review Help needed
Steven D'Aprano
I don't know much about pygtk and Glade, but I can make a couple of
comments:
> class PassChecker:
>
> def on_check_button_toggled(self, button):
> if self.pass_entry.get_visibility():
> self.pass_entry.set_visibility(False)
> else:
> self.pass_entry.set_visibility(True)
This can be written as:
self.pass_entry.set_visibility(not self.pass_entry.get_visibility())
Better still, get rid of the "set_visiblity" and "get_visibility"
methods. This isn't Java, setters and getters are rarely needed. Just
make an attribute "visible" and toggle it:
self.pass_entry.visible = not self.pass_entry.visible
> def on_guidelines_button_clicked(self, button):
> message = "Here are some guidelines to be followed while
> choosing password.\n\
[...]
It is best to write such long strings as a triple-quoted string, to avoid
needing all those backslashes. Instead of:
message = "Here are some guidelines... \n\
blah blah blah \n\
blah blah"
it is better to write:
message = """Here are some guidelines...
blah blah blah
blah blah"""
> def on_pass_entry_changed(self, text_entry):
> password = self.pass_entry.get_text() strength =
> self.password_strength_checker(password)
>
> if strength >= 0.0 and strength <= 0.20:
> strength_in_str = "Very Week"
Python allows you to write multiple comparisons like this:
if 0.0 <= strength <= 0.20:
strength_in_str = "Very Weak"
elif 0.20 < strength <= 0.40:
strength_in_str = "Weak"
Note also the correct spelling of weak. ("Week" is seven days.)
> def password_strength_checker(self, password):
>
> if not password:
> return 0.0
>
> # Check for having same Characters
> has_same_characters = True
> first_letter = password[0]
> for i in range(1, password.__len__()):
You nearly never need to explicitly call double-underscore methods like
__len__. The above is better written as:
for i in range(1, len(password)):
> if not first_letter == password[i]:
> has_same_characters = False
> if not has_same_characters:
> break
> if has_same_characters:
> return 0.0
I'm not sure what you're trying to do here. By the names, I think you're
looking for any repeated characters, but judging by the code, you're only
checking to see if the *first* character is repeated.
If you want to check only the first character, this is best written as:
# get the first character, and see it if is in the rest of the string
first_repeated = password[0] in password[1:]
If you want to check for any duplicate:
any_duplicate = len(set(password)) != len(password)
If that's a bit too mysterious for you, try this:
for c in password:
# check each character for duplicates
if password.count(c) != 1:
print "character %s is duplicated" % c
I'm sure you can adapt that to do what you want.
> lower_alphabets_count = 0
> upper_alphabets_count = 0
> digits_count = 0
> special_chars_count = 0
> for i in range(0, password.__len__()):
Again, use len(password).
> char = password[i]
Since you *only* use i as an index to grab the ith character, this is
better written by iterating over the string itself:
for char in password:
...
> if char.isalpha():
> if char.isupper():
> upper_alphabets_count += 1
> else:
> lower_alphabets_count += 1
> elif char.isdigit():
> digits_count += 1
> else:
> special_chars_count += 1
if char.isupper():
upper_alphabets_count += 1
elif char.isupper():
lower_alphabets_count += 1
elif char.isdigit():
digits_count += 1
else:
special_chars_count += 1
> chars_count = [upper_alphabets_count, lower_alphabets_count,
> digits_count, special_chars_count]
>
> if password.__len__() < 8:
len(password)
> if not chars_count.__contains__(0):
> strength = 0.5
if not 0 in chars_count:
strength = 0.5
Hope this helps.
--
Steven
Paul Rubin
> Since this is my first app/program, can someone review my code (just
> over 150 lines) and help me improve my programming capabilities
I didn't look at the code. From a security point of view, the concept
of "password strength checking" is pretty dubious. If you want secure
passwords, generate them from a random number source and assign them to
the users. Don't have the users make up their own passwords. It's
relatively (compared to using a computer file exposed to remote internet
attacks) for users to write down the the random passwords on paper, as
long as they're a little bit careful. As Bruce Schneier put it:
"My wallet is already a secure container; it has valuable things in
it, and I have a lifetime of experience keeping it safe. Adding a
piece of paper with my passwords seems like a natural thing to do."
Steven D'Aprano
> "Mallikarjun(ಮಲ್ಲಿಕಾರ್ಜುನ್)" <mallik....@gmail.com>
writes:
>> Since this is my first app/program, can someone review my code (just
>> over 150 lines) and help me improve my programming capabilities
>
> I didn't look at the code. From a security point of view, the concept
> of "password strength checking" is pretty dubious. If you want secure
> passwords, generate them from a random number source
But why do they need to be random, if password strength is dubious?
*wink*
> and assign them to
> the users. Don't have the users make up their own passwords. It's
> relatively (compared to using a computer file exposed to remote internet
> attacks) for users to write down the the random passwords on paper, as
> long as they're a little bit careful.
I think you're missing a word there. Relatively secure perhaps?
The problem is that most users will not be a little bit careful. They
will stick the password on a Post-it note on the side of the monitor, or
write it down and lose it, or leave the paper sitting on their desk while
they go to lunch.
> As Bruce Schneier put it:
>
> "My wallet is already a secure container; it has valuable things in
> it, and I have a lifetime of experience keeping it safe. Adding a
> piece of paper with my passwords seems like a natural thing to do."
And people frequently lose their wallets.
Besides, with the number of on-line identities and passwords many people
need, you'll need a separate wallet just for the passwords. I have
something of the order of 80 or 90 passwords written down, and another
dozen in my head. Because there are so many, I need to keep account
information with them: there's no way I'd be able to remember what the
passwords were for otherwise.
That's way too much to put in my wallet, and even if I did, if I lost it,
I'd lose *everything*. Not only would some stranger likely have access to
all my accounts, but I wouldn't even be able to identify what those
accounts were, let alone authenticate into them.
So I need at least one (and likely more) password I can keep in my head,
so I can encrypt my list of rarely-used passwords. Because it needs to be
something I can remember, it can't be a random string of digits, but it
needs to *look* random. In other words, it needs to be a good password
that is meaningful to me, but not to anyone else, and since I'm really
bad at judging randomness (like nearly all humans), I'll take all the
help I can get.
--
Steven
Paul Rubin
> I think you're missing a word there. Relatively secure perhaps?
Yes, something like that, oops.
> The problem is that most users will not be a little bit careful. They
> will stick the password on a Post-it note on the side of the monitor,...
Right, that's what I mean about careful. But, people do generally
develop skills at keeping important bits of paper (like their drivers'
license) safe.
> Besides, with the number of on-line identities and passwords many people
> need, you'll need a separate wallet just for the passwords. I have
> something of the order of 80 or 90 passwords written down..
I don't have anywhere that many important ones. For the less important
ones I just use my browser's auto-fill feature (i.e. the passwords are
stored in the browser). I generate important ones with a program (2-6
words selected at random from a dictionary). When I generate a new one,
I write it on a slip of paper that I keep in my pocket and refer to as
necessary. After referring to the paper a few times I usually remember
the password and don't need the paper any more, so I dispose of it.
> So I need at least one (and likely more) password I can keep in my
> head, so I can encrypt my list of rarely-used passwords.
If there's just one, and it's a phrase, you can remember it.
> since I'm really bad at judging randomness (like nearly all humans),
Right, humans are no good at generating or judging randomness. It's
best to use an entropy source. www.diceware.com explains how to do it
with dice and a wordlist they supply. I use a program something like
the following instead:
from math import log
dictfile = '/usr/share/dict/words'
def genrandom(nbytes):
with open('/dev/urandom') as f:
return int(f.read(nbytes).encode('hex'), 16)
def main():
wordlist = list(x.strip() for x in open(dictfile) if len(x) < 7)
nwords = len(wordlist)
print "%d words, entropy=%.3f bits/word"% (
nwords, log(nwords, 2))
print '-'.join(wordlist[genrandom(10)%nwords] for i in xrange(5))
main()
You can also use the diceware word list instead of the unix wordlist,
of course.
Aahz
Paul Rubin <no.e...@nospam.invalid> wrote:
>
>From a security point of view, the concept
>of "password strength checking" is pretty dubious. If you want secure
>passwords, generate them from a random number source and assign them to
>the users. Don't have the users make up their own passwords. It's
>relatively (compared to using a computer file exposed to remote internet
>attacks) for users to write down the the random passwords on paper, as
>long as they're a little bit careful. As Bruce Schneier put it:
>
> "My wallet is already a secure container; it has valuable things in
> it, and I have a lifetime of experience keeping it safe. Adding a
> piece of paper with my passwords seems like a natural thing to do."
Actually, I treat my wallet as a source of trouble and only keep
replaceable items in it.
--
Aahz (aa...@pythoncraft.com) <*> http://www.pythoncraft.com/
import antigravity
John Nagle
> Dear friends,
> I am newbie to Python + pygtk + Glade and recently wrote a simple password
> strength checker app.
> Since this is my first app/program, can someone review my code (just over
> 150 lines) and help me improve my programming capabilities
Here's my classic "Obvious password detector":
http://www.animats.com/source/obvious/obvious.c
This prevents dictionary attacks using an English dictionary, but
needs only a small bit table and does no I/O.
John Nagle